Proprietary software puts pacemaker users at risk

Open source group wants mandatory code review

More than one-fourth of defective implantable medical devices discovered this year were probably the result of bugs in the software used to control them, a group advocating open source software claimed in a report that argues against the use of proprietary code in the life-saving products.

Although the pacemakers, implantable cardioverter defibrillators and other IMDs, or implantable medical devices, are heavily regulated by the US Food and Drug Administration, the source code for their underlying software is deemed the exclusive property of its manufacturers, the Software Freedom Law Center wrote in the report. As a result, doctors and patients are barred from scrutinizing the code for defects that could result in life-threatening conditions.

"Though the surge in IMD treatment over the past decade has had undeniable health benefits, device failures have also had fatal consequences," the authors wrote. "Research indicates that as IMD usage grows, the frequency of potentially fatal software glitches, accidental device malfunctions, and the possibility of malicious attacks will grow."

In the first half of this year, the FDA recalled 23 devices because there was a "reasonable probability that use of these products will cause serious adverse health consequences or death," according to the report. At least six of those defects likely stemmed from software bugs. One defibrillator recalled by a subsidiary of Medtronic had been the subject of failure reports that spanned its entire eight-year history, including one "unconfirmed adverse patient event," the report claimed.

Chris Garland, an executive with the company, said the recalled device was an external defibrillator used by paramedics and emergency personnel, and not one implanted in patients, as the report suggests.

From 1997 to 2003, at least 212 deaths resulted from defects in five different brands of defibrillators.

The report comes as researchers over the past few years have warned that implantable devices, particularly newer ones that are remotely controlled using radio signals, are vulnerable to attacks that can cause the devices to malfunction or expose vital signs and other sensitive patient data. Researchers have struggled to devise ways to secure the devices against tampering without preventing doctors from accessing them in the event of an emergency. Protections based on ultrasound waves and password tattoos are two of the proposed solutions.

The non-profit software group has offered a new approach: requiring device manufacturers to make all source code publicly auditable.

"Our intention is to demonstrate that auditable medical device software would mitigate the privacy and security risks in IMDs by reducing the occurrence of source code bugs and the potential for malicious device hacking in the long-term," the report states. "Although there is no way to eliminate software vulnerabilities entirely, this paper demonstrates that free and open source medical device software would improve the safety of patients with IMDs, increase the accountability of device manufacturers, and address some of the legal and regulatory constraints of the current regime."

The report, titled "Killed by Code: Software Transparency in Implantable Medical Devices," is here. ®

This article was updated to make clear that software defects are likely the cause of one-quarter of the recalls. It was also updated to add comment from Medtronic.
